Wednesday, January 28, 2009

BEWARE of Spyware Protect 2009

The name of the malicious program I got today was something like "Spyware Protector 2009".

This site helped a lot:
http://www.spywarevoid.com/spyware-protect-2009.html

Steps I took to resolve it:

1.) Open regedit and look under HKEY_CURRENT_USER\Software. You should find two new entries: one whose name begins with something like "A" (sorry, already deleted it) and another named something like "Protection Suite".

Also look in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; there should be an entry for an .exe whose name begins with "s". Note the location of the file and delete it.

2.) Open Task Manager and make sure all processes related to the program are stopped.

3.) Edit your hosts file to include:
127.0.0.1 www.swp2009.com
127.0.0.1 www.spyprotect2009.com
127.0.0.1 www.sp-protect2009.com

4.) Go to the file location and delete the files.

I found:

sysguard.exe
ugobamom.dll
Vsizujuzesec.dll

The names appear random, so don't expect them to be the same on your system. I just used the date/time stamps to find all the files added around the same time as the program.

Sorry if this is a little unorganized; I am writing it as I go...

So now I am using Process Explorer to find out what the deal is with those DLLs and how to kill everything using them.

I also did a search in the registry, and under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I found 3 entries to delete. The first two appear to start the DLLs and the last seems to make Defender hide. So I am deleting those; the names, for reference, are:
Xriwiwoniqi
Wfarawumifora
Windows Defender

Once again, all appear to be random names. Actually, I just removed the hide flag on Defender instead of deleting it.

This appears to do it. Let's restart and see.
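The checks above (the two Run keys, the file time stamps, and the hosts entries) can be done in one read-only pass. The following PowerShell script is an added example written for this post, not something the original author ran. It lists every autorun entry in HKCU and HKLM, flags entries whose target file is missing or was created within an assumed time window of the infection (the same date/time-stamp trick used in step 4), lists .exe/.dll files that appeared next to a flagged target in that window, and reports whether the three domains from step 3 are already mapped to 127.0.0.1 in the hosts file. The `$Reference` and `$WindowHours` parameters, the `Get-*` function names and the 6-hour default are assumptions of this example; it deletes nothing.

```powershell
<#
  Added triage script, not part of the original post. Read-only: it reports
  autorun entries, their target files and the hosts-file state so they can be
  reviewed before anything is killed or deleted. Assumes Windows PowerShell 3.0+
  and that it runs as the affected user (HKCU is per user).
#>
param(
    # Assumed infection time (example parameter): files created within
    # $WindowHours of this moment are flagged, mirroring the post's time-stamp trick.
    [datetime]$Reference = (Get-Date),
    [int]$WindowHours = 6
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# The three domains the post maps to 127.0.0.1 in the hosts file.
$BlockedDomains = @('www.swp2009.com', 'www.spyprotect2009.com', 'www.sp-protect2009.com')

# Pull the executable path out of a Run value, quoted ("C:\x\y.exe" /a) or not (C:\x\y.exe /a).
function Get-CommandTarget([string]$Command) {
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-InWindow([datetime]$When) {
    return [math]::Abs(($When - $Reference).TotalHours) -le $WindowHours
}

# One row per autorun entry, with the reasons (if any) it deserves a closer look.
function Get-AutorunReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath/PSParentPath/... metadata
        foreach ($p in $props) {
            $target  = Get-CommandTarget ([string]$p.Value)
            $exists  = Test-Path -LiteralPath $target -PathType Leaf
            $created = if ($exists) { (Get-Item -LiteralPath $target).CreationTime } else { $null }
            $reasons = @()
            if (-not $exists)                          { $reasons += 'target missing' }
            if ($exists -and (Test-InWindow $created)) { $reasons += 'created in window' }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Target  = $target
                Created = $created
                Flags   = ($reasons -join '; ')
            }
        }
    }
}

# .exe/.dll files that appeared next to a flagged target around the same time:
# this is how the randomly named DLLs in step 4 were found.
function Get-RecentNeighbours([string]$Target) {
    $dir = Split-Path -Parent $Target
    if (-not (Test-Path -LiteralPath $dir)) { return }
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in '.exe', '.dll') -and (Test-InWindow $_.CreationTime) } |
        Select-Object FullName, CreationTime, Length
}

# Reports whether each rogue domain is already sinkholed to 127.0.0.1 (step 3).
function Get-HostsStatus {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = @(Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue)
    foreach ($d in $BlockedDomains) {
        $pattern = '^\s*127\.0\.0\.1\s+' + [regex]::Escape($d) + '(\s|$)'
        [pscustomobject]@{ Domain = $d; Sinkholed = [bool]($lines -match $pattern) }
    }
}

$report = Get-AutorunReport
$report | Format-Table -AutoSize
foreach ($row in ($report | Where-Object { $_.Flags })) {
    "Files created near $($row.Target) within $WindowHours h of $Reference :"
    Get-RecentNeighbours $row.Target | Format-Table -AutoSize
}
Get-HostsStatus | Format-Table -AutoSize
```

Run it as `.\Triage.ps1 -Reference '2009-01-28 14:00' -WindowHours 6` with the time the rogue first appeared; rows with an empty Flags column are the entries you would expect (real antivirus, drivers) and still deserve a glance, since a missing-or-recent check is only a heuristic. The script only covers the two Run keys the post mentions; RunOnce, per-service and other autostart locations are outside its scope.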
